Dependency Confusion occurs when software installer script is tricked into pulling malicious code file from public repository.
How I found this bug?
2/ Recon 🔦
1⃣ I started with some Shodan recon and I found a IP that belongs to TARGET.
2⃣ Using directory brute forcing tools like Dirsearch and FFUF, I found a package.json file contained all the packages which was installed in the server.
URL: /ui/package.json
scant3r is a module-based web security tool, our goal is to make customizable tool with providing many functions and features that what you need for write a security module.... github.com/knassar702/sca…